We release patches for security vulnerabilities. Currently supported versions:
| Version | Supported |
|---|---|
| 0.8.5 | ✅ |
| < 0.8.0 | ❌ |
Note: This project is in alpha stage. The API may change between minor versions until 1.0.0 is released.
We take the security of Postman SDK seriously. If you believe you have found a security vulnerability, please report it to us as described below.
- Do not open a public GitHub issue for security vulnerabilities
- Do not discuss the vulnerability in public forums, social media, or other public channels
Reporting channel: Please report security vulnerabilities to the repository maintainers through GitHub's private vulnerability reporting feature, which opens a private security advisory visible only to the maintainers and the reporter.
Steps to Report:
- Go to the Security tab of the repository
- Click "Report a vulnerability"
- Fill out the security advisory form with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
What to Include:
- Type of vulnerability (e.g., authentication bypass, injection, etc.)
- Full paths of affected source files
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability, including how an attacker might exploit it
After submitting a report, you can expect:
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Assessment: We will investigate and assess the vulnerability within 5 business days
- Updates: We will keep you informed about the progress of the fix
- Resolution: We will work on a fix and aim to release a patched version as soon as possible
- Credit: With your permission, we will credit you in the release notes and security advisory
- Coordinated Disclosure: We prefer coordinated disclosure
- Timeline: We request that you give us reasonable time to address the vulnerability before public disclosure
- Mutual Respect: We will work with you in good faith to address legitimate security concerns
When using this SDK:
- Never commit API keys to version control
  - Use environment variables: `POSTMAN_API_KEY`
  - Add `.env` files to `.gitignore`
- Rotate API keys regularly
  - Generate new keys periodically
  - Revoke old keys after rotation
- Limit API key scope
  - Use API keys with minimal required permissions
  - Create separate keys for different environments (dev, staging, prod)
- Keep dependencies updated
  ```bash
  npm audit
  npm update
  ```
- Review dependency vulnerabilities
  ```bash
  npm audit fix
  ```
  Review what `npm audit fix` changed before committing; `npm audit fix --force` can install breaking major-version upgrades, so do not apply it blindly.
- Use the latest SDK version
  - Check for updates regularly
  - Review changelogs for security fixes
- Use HTTPS - The SDK always uses HTTPS for API calls
- Validate responses - Always validate API responses before using data
- Handle errors securely - Don't expose sensitive error details to end users
- Separate environments - Use different workspaces/collections for dev, staging, and production
- Test in isolation - Run tests in dedicated test workspaces
- Clean up test data - Remove test resources after testing
- API keys are read from environment variables
- Never hardcode API keys in your code
- Use secure secret management in production environments
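The API key practices above (read the key only from `POSTMAN_API_KEY`, never hardcode it, and do not leak it through error messages), as an added example that is not part of the Postman SDK. The function names `loadApiKey`, `maskKey`, `redactSecrets` and `toSafeError` are illustrative, and the key value in the demo is constructed, not a real credential:

```javascript
// Added example (not Postman SDK code): read the API key only from the
// environment, fail closed when it is missing, and keep the key out of logs
// and user-facing error messages. POSTMAN_API_KEY is the variable named in
// this policy; the function names are illustrative.

const ENV_VAR = "POSTMAN_API_KEY";

// Return the API key from `env` (defaults to process.env) or throw.
// Nothing here reads the key from source files or command-line arguments.
function loadApiKey(env = process.env) {
  const raw = env[ENV_VAR];
  const key = typeof raw === "string" ? raw.trim() : "";
  if (key === "") {
    throw new Error(
      `${ENV_VAR} is not set; export it in the shell or load it from a git-ignored .env file`
    );
  }
  return key;
}

// Show only the last four characters so a key can be recognised in a log
// without being recoverable from it. Fixed-width prefix hides the key length.
function maskKey(key) {
  if (typeof key !== "string" || key.length < 8) return "****";
  return `****${key.slice(-4)}`;
}

// Replace every occurrence of each secret value in `text` with a marker.
// Matching on the value rather than on a key format works for any secret.
function redactSecrets(text, secrets) {
  let out = String(text);
  for (const secret of secrets) {
    if (!secret) continue;
    out = out.split(secret).join("[REDACTED]");
  }
  return out;
}

// Split an error into what goes to internal logs (redacted details) and what
// goes to end users (a generic message plus a reference id for correlation).
function toSafeError(err, secrets, refId) {
  const detail = err instanceof Error ? `${err.name}: ${err.message}` : String(err);
  return {
    logMessage: `[${refId}] ${redactSecrets(detail, secrets)}`,
    userMessage: `Postman API request failed (reference ${refId})`,
  };
}

function demo() {
  // Constructed demo values, not real credentials.
  const env = { POSTMAN_API_KEY: " example-key-0000-1111-2222 " };
  const apiKey = loadApiKey(env);
  console.log("loaded key", maskKey(apiKey));
  const failure = new Error(`401 Unauthorized for key ${apiKey}`);
  const safe = toSafeError(failure, [apiKey], "req-1234");
  console.log(safe.logMessage);   // key replaced by [REDACTED]
  console.log(safe.userMessage);  // no details, just a reference id
}

demo();
```

The reference id lets a user quote an error to support without the error text carrying anything from the API response, and `redactSecrets` is applied to the log line as well, since upstream error messages can echo the credential that was rejected.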
- The SDK persists test IDs in `test-ids.json` for functional tests
  - This file is git-ignored by default
  - Ensure it remains excluded from version control
  - It contains workspace IDs and resource IDs (not secret, but they should not be made public)
- Functional tests make real API calls
- Use dedicated test workspaces
- Use test API keys with limited scope
- Never run tests against production resources
When a security vulnerability is addressed:
- A security advisory will be published
- A patched version will be released
- The vulnerability will be documented in the changelog
- Users will be notified through GitHub releases
If you have questions about this security policy, please open a discussion in the GitHub Discussions (for non-sensitive questions) or contact the maintainers privately for security-related inquiries.
Last Updated: December 25, 2024